#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website  : https://cisofy.com
# Blog     : https://linux-audit.com/
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# NFS
#
#################################################################################
#
    InsertSection "NFS"
#
#################################################################################
#
    NFS_DAEMON_RUNNING=0
    NFS_EXPORTS_EMPTY=0
#
#################################################################################
#
    # Test        : STRG-1902
    # Description : Check rpcinfo
    if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check rpcinfo registered programs"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking rpcinfo registered programs"
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${TRBINARY} -s ' ' ',')
        for I in ${FIND}; do
            LogText "rpcinfo: ${I}"
        done
        Display --indent 2 --text "- Query rpc registered programs" --result "${STATUS_DONE}" --color GREEN
    fi
#
#################################################################################
#
    # Test        : STRG-1904
    # Description : Check nfs versions in rpcinfo
    if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking NFS registered versions"
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort)
        for I in ${FIND}; do
            LogText "Found version: ${I}"
        done
        Display --indent 2 --text "- Query NFS versions" --result "${STATUS_DONE}" --color GREEN
    fi
#
#################################################################################
#
    # Test        : STRG-1906
    # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
    if [ -n "${RPCINFOBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check nfs rpc"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking NFS registered protocols"
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
        for I in ${FIND}; do
            LogText "Found protocol: ${I}"
        done
        if [ -z "${FIND}" ]; then
            LogText "Output: no NFS protocols found"
        fi

        # Check port number
        LogText "Test: Checking NFS registered ports"
        FIND=$(${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort)
        for I in ${FIND}; do
            LogText "Found port: ${I}"
        done
        if [ -z "${FIND}" ]; then
            LogText "Output: no NFS port number found"
        fi
        Display --indent 2 --text "- Query NFS protocols" --result "${STATUS_DONE}" --color GREEN
    fi
#
#################################################################################
#
    # Test        : STRG-1920
    # Description : Check for running NFS daemons
    Register --test-no STRG-1920 --weight L --network NO --category security --description "Checking NFS daemon"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking running NFS daemon"
        FIND=$(${PSBINARY} ax | ${GREPBINARY} "nfsd" | ${GREPBINARY} -v "grep")
        if [ -z "${FIND}" ]; then
            LogText "Output: NFS daemon is not running"
            Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
        else
            LogText "Output: NFS daemon is running"
            Display --indent 2 --text "- Check running NFS daemon" --result "${STATUS_FOUND}" --color GREEN
            NFS_DAEMON_RUNNING=1
        fi
    fi
#
#################################################################################
#
    # Test        : STRG-1924
    # Description : Check missing nfs in rpcinfo while NFS is running
    #Register --test-no STRG-1924 --weight L --network NO --category security --description "Checking NFS daemon"
    #if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
    # Test        : STRG-1926
    # Description : Check NFS exports
    if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking NFS exports"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: check /etc/exports"
        if [ -f ${ROOTDIR}etc/exports ]; then
            LogText "Result: ${ROOTDIR}etc/exports exists"
            FIND=$(${GREPBINARY} -v "^$" ${ROOTDIR}etc/exports | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/ /!space!/g')
            if [ -n "${FIND}" ]; then
                for I in ${FIND}; do
                    I=$(echo ${I} | ${SEDBINARY} 's/!space!/ /g')
                    LogText "Found line: ${I}"
                done
            else
                LogText "Result: ${ROOTDIR}etc/exports does not contain exported file systems"
                NFS_EXPORTS_EMPTY=1
            fi
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: file /etc/exports does not exist"
            Display --indent 4 --text "- Checking ${ROOTDIR}etc/exports" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi
#
#################################################################################
#
    # Test        : STRG-1928
    # Description : Check for empty exports file while NFS is running
    if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking empty /etc/exports"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
            Display --indent 6 --text "- Checking empty /etc/exports" --result "${STATUS_SUGGESTION}" --color YELLOW
            LogText "Result: ${ROOTDIR}etc/exports seems to have no exported file systems"
            ReportSuggestion "${TEST_NO}" "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
        fi
    fi
#
#################################################################################
#
    # Test        : STRG-1930
    # Description : Check client access to nfs share
    if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check client access to nfs share"
    if [ ${SKIPTEST} -eq 0 ]; then
        sFIND=$(${SHOWMOUNTBINARY} -e | ${AWKBINARY} '{ print $2 }' | ${SEDBINARY} '1d' | ${GREPBINARY} "\*")
        if [ -n "${sFIND}" ]; then
            LogText "Result: all client are allowed to access a NFS share in /etc/exports"
            Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
            ReportSuggestion "${TEST_NO}" "Specify clients that are allowed to access a NFS share /etc/exports"
            AddHP 2 3
        else
            LogText "Result: only some clients are allowed to access a NFS share"
            Display --indent 4 --text "- Checking NFS client access" --result "${STATUS_OK}" --color GREEN
            AddHP 3 3
        fi
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
